CVE-2024-55636
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
We have discovered 123,597 live websites that are affected by CVE-2024-55636.
Affected Software
| Product |  Drupal |
| Category | Content Management System |
| Vulnerable Domains | 123,597 live websites (49.20% of Drupal install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 269 versions ( 88.20% of all versions) |
Common Weakness Enumeration
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object AttributesDetails
- Published - Dec 9, 2024
- Updated - Dec 16, 2024
Credits
- Drew Webber (finder)
- Drew Webber (remediation developer)
- Lee Rowlands (remediation developer)
- Juraj Nemec (coordinator)
- Benji Fisher (coordinator)
- xjm (coordinator)
CWE
CVE References
CWE References
CVE-2024-55636 usage by Country
 United States | 52,623 websites |
 Germany | 13,436 websites |
 France | 9,552 websites |
 Belgium | 5,382 websites |
 Netherlands | 4,563 websites |
 Russia | 3,468 websites |
 GB | 3,414 websites |
 Switzerland | 2,614 websites |
 Spain | 2,415 websites |
 Canada | 2,087 websites |
CVE-2024-55636 usage by TLD
| .com | 33,123 websites |
| .org | 12,024 websites |
| .de | 8,230 websites |
| .edu | 7,583 websites |
| .be | 5,671 websites |
| .fr | 5,182 websites |
| .nl | 3,656 websites |
| .ru | 2,951 websites |
| .net | 2,346 websites |
| .ch | 2,331 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-55636
Top websites that are affected by CVE-2024-55636. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.**.uk | United States | *** | |
| ***.gov | United States | *** | |
| ****.fr | France | *** | |
| ***.gov | United States | *** | |
| ***.gov | United States | *,*** | |
| ***.org | France | *,*** | |
| **************************.nl | Netherlands | *,*** | |
| ***.gov | United States | *,*** | |
| *******.gov | United States | *,*** | |
| ***.gov | United States | *,*** |
FAQ
CVE-2024-55636 is Improperly Controlled Modification of Dynamically-Determined Object Attributes in Drupal
A total of 123,597 websites have been identified as vulnerable to CVE-2024-55636, discovered through global website indexing conducted by WebTechSurvey.
Drupal is susceptible to CVE-2024-55636 vulnerability.
Drupal versions before 11.0.8 are vulnerable to CVE-2024-55636.
Version 11.0.8 of Drupal addresses the CVE-2024-55636 security vulnerability.